# ============================================================
# ZCLAW SaaS Backend - Nginx Reverse Proxy Configuration
# ============================================================
# Prerequisites:
#   - SSL certificate (e.g., Let's Encrypt certbot)
#   - Nginx installed (apt install nginx)
#
# Installation:
#   sudo cp deploy/nginx.conf /etc/nginx/sites-available/zclaw-saas
#   sudo ln -s /etc/nginx/sites-available/zclaw-saas /etc/nginx/sites-enabled/
#   sudo nginx -t && sudo systemctl reload nginx
#
# Replace placeholders:
#   <YOUR_DOMAIN>  - e.g., api.zclaw.com
#   <CERT_PATH>    - e.g., /etc/letsencrypt/live/api.zclaw.com/fullchain.pem
#   <KEY_PATH>     - e.g., /etc/letsencrypt/live/api.zclaw.com/privkey.pem
# ============================================================

# ---- HTTP -> HTTPS Redirect ----
server {
    listen 80;
    listen [::]:80;
    server_name <YOUR_DOMAIN>;

    # Let's Encrypt challenge (keep if using certbot)
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# ---- HTTPS Server ----
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name <YOUR_DOMAIN>;

    # ---- SSL Configuration ----
    ssl_certificate     <CERT_PATH>;
    ssl_certificate_key <KEY_PATH>;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;

    # ---- Security Headers ----
    add_header X-Frame-Options       DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection      "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Referrer-Policy       strict-origin-when-cross-origin always;

    # ---- Gzip Compression ----
    gzip on;
    gzip_types
        application/json
        application/javascript
        text/plain
        text/css
        text/xml
        text/javascript;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;

    # ---- Request Size Limit ----
    client_max_body_size 10m;

    # ---- Proxy to ZCLAW SaaS Backend ----
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;

        # ---- WebSocket / SSE Support ----
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # ---- Standard Proxy Headers ----
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # ---- SSE Streaming Support ----
        # Disable buffering for Server-Sent Events
        proxy_buffering off;
        proxy_cache off;

        # Long timeout for streaming responses (5 minutes)
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;

        # Disable request buffering for large payloads
        proxy_request_buffering off;
    }

    # ---- Health Check Endpoint (no logging) ----
    location = /health {
        proxy_pass http://127.0.0.1:8080/health;
        access_log off;
    }

    # ---- Logging ----
    access_log /var/log/nginx/zclaw-saas-access.log;
    error_log  /var/log/nginx/zclaw-saas-error.log warn;
}